UniFi Security Gateway – Bypassing Orange LiveBox
As a homelab enthusiast and datahoarder, my network is not what most people would consider “normal”. I have needs…or at least I have created needs that I have to find a solution for. After a year of using the provided Orange LiveBox in IP Passthrough mode along with my Box Router/AP combo, the sub-par reliability and overall dissatisfaction with the hardware and aging Orange Livebox Router pushed me over the edge, and I finally purchased a UniFi Security Gateway. I have plans to expand my UniFi gear over the next few months, but the first step was the USG, and hopefully taking the router out of the network. Based on this post I knew it could be done, but I didn’t know how long it would take, or if I’d be able to pull it off without having to rebuild my entire network. The good news is that yes, I was able to bypass ‘s hardware, but along the way I made a few configuration mistakes that ended up with me needing to switch subnets and remap a few things. Not the worst outcome, it just took me longer than I hoped.
The instructions provided by Taylor Smith at the above link are pretty thorough, but they seem to come from a perspective of already having the USG installed on your network and configured, maybe as a Router behind your device (in IP Passthrough mode, as mine was). My situation was a bit different – I purchased the USG with the sole intent of replacing my Router and bypassing the modem from the get-go. In addition, I intended to host the UniFi Controller software on one of my servers in Docker, rather than as a stand-alone piece of hardware – this posed a few interesting challenges. Following is my attempt to document the steps I took that were helpful, and what I’d do if I needed to do it all over again from the beginning.
Existing Setup:
ONT ==> Modem (in IP Passthrough mode) ==> Orange Livebox (Router/AP combo) ==> 2x 8-port unmanaged gigabit switches, ~10 wired clients and multiple wireless clients.
192.168.1.1/24 DHCP range, clients within 172.16.0.6-172.16.0.100 range.
Of note, 2x hardwired servers – 172.16.0.80 and 172.16.0.81 – running as Docker hosts. *.80 is primarily media related, *.81 is primarily one-off containers (vpn, guacamole, etc).
Step 1:
Create UniFi Controller Docker container, I used the linuxserver.io container that can be found here.
It’s important to note the section in the container instructions regarding the “inform ip address”:
For Unifi to adopt other devices, e.g. an Access Point, it is required to change the inform ip address. Because Unifi runs inside Docker by default it uses an ip address not accessible by other devices. To change this go to Settings > Controller > Controller Settings and set the Controller Hostname/IP to an ip address accessible by other devices.
After creating the container, I followed the setup instructions found in the linuxserver/unifi-controller container documentation, in combination with the Quick Start Guide that came with my USG. After logging in and making the basic configuration changes, including changing the inform ip address (I changed mine to the IP of the Docker host, as I was passing the ports from the container to the host anyway), THEN you can take out the USG and start the process of adding that to your network.
Step 2:
Make a note of the IP address of the controller and the inform ip address.
Pull up the controller page on a hardwired machine – I found that once I had the page loaded, I could keep making changes in the controller interface as long as I was on the same switch, even when I didn’t have an active DHCP server – this is important, because swapping out my Router meant that I wouldn’t have DHCP until the USG was online, and in order to get the USG online, I needed to have access to both the internet and the newly-created UniFi Controller web portal.
Before unplugging anything or making any changes, make sure you have all the files downloaded from Taylor Smith’s post.
The end state for this step: ONT ==> Modem WAN/Broadband port; Modem LAN port ==> USG WAN port; USG LAN1 port ==> unmanaged switch, with the Docker host server and the computer used to reach the UniFi Controller portal plugged into that same switch. Nothing else should be plugged in, and don’t turn anything else on or off at this stage; the one thing you DO plug in is the USG’s power, so it boots. No device other than those just listed should be connected to the network.
Step 3:
Adopt the USG in the UniFi Controller portal – it should be automatically recognized, you may have to do some troubleshooting on the UniFi documentation if it doesn’t show up right away. I found the following page helpful:
https://help.ubnt.com/hc/en-us/articles/360012622613-UniFi-Device-Adoption
Step 4:
Now that the USG is adopted and showing up in the Controller portal, you can move on to Taylor’s post.
Make sure that you follow the steps precisely. I thought I had done everything correctly, but it turns out that after midnight all ethernet ports look the same – make sure you are plugging the right cables into the right ports, at the right time!
Step 5:
Once the USG is set up to bypass the modem, you can rebuild your network. This is where I messed up. Remember back near the beginning when I used Docker? Yeah, the default subnet for the USG is 10.0.0.1/32 – when I changed it to my subnet of 192.168.1.1/24, I forgot to change the inform IP address in the Controller UI, and broke connectivity between my USG and the Controller. I spent over an hour figuring out how to re-adopt a USG, dancing around DHCP, manually setting IP addresses, heavy utilization of arp -a, and wearing out my thumbs googling from my phone (the joys of breaking the home internet!). Don’t be like me – if you’re going to change the default subnet, make sure you change all the references to the default.
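The outage above comes down to one consistency rule: the inform address the USG phones home to has to be an address on the LAN you are about to switch to, and not the container’s own Docker-internal address. Here is a small pre-flight check I would run before changing the subnet; it is an added example, not code from the post or from Ubiquiti, and it assumes the controller’s ports are published on the Docker host (as in the post) and that Docker’s default bridge (172.17.0.0/16) was left unchanged.

```python
import ipaddress
from typing import List

# Docker's default bridge network. A container's own address on it is not
# reachable from the USG or any other LAN device (assumption: the default
# bridge was not reconfigured on the Docker host).
DOCKER_DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")


def inform_preflight(new_lan_cidr: str, inform_host: str, docker_host_ip: str) -> List[str]:
    """Return the problems that would cut the USG off from the controller once
    the LAN subnet is changed to new_lan_cidr. An empty list means the plan is
    consistent: inform address and Docker host both live on the new LAN."""
    lan = ipaddress.ip_network(new_lan_cidr, strict=False)  # "192.168.1.1/24" is fine
    inform = ipaddress.ip_address(inform_host)
    host = ipaddress.ip_address(docker_host_ip)
    problems = []

    if inform in DOCKER_DEFAULT_BRIDGE:
        problems.append(f"inform address {inform} is a Docker bridge address; "
                        f"use the Docker host's LAN IP instead")
    if inform not in lan:
        problems.append(f"inform address {inform} is outside the new LAN {lan}; "
                        f"the USG will lose the controller after the change")
    if host not in lan:
        problems.append(f"Docker host {host} is outside the new LAN {lan}; "
                        f"move it into the new subnet before re-adopting")
    # Assumption from the post: controller ports are published on the host,
    # so the inform address should be the host's own LAN address.
    if inform != host:
        problems.append(f"inform address {inform} is not the Docker host {host}; "
                        f"the published ports live on the host")
    return problems


if __name__ == "__main__":
    # Constructed values modelled on the post: LAN moves to 192.168.1.1/24
    # while the inform address still points at the old 172.16.0.x host.
    for issue in inform_preflight("192.168.1.1/24", "172.16.0.81", "172.16.0.81"):
        print("WARNING:", issue)
    # After updating both the host and the inform address, nothing is reported.
    print("ok" if not inform_preflight("192.168.1.1/24", "192.168.1.81", "192.168.1.81") else "fix first")
```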
That’s…basically it. I’m currently using my old Orange Livebox in AP mode, until I budget for a UniFi AP – I’m thinking the AP-AC Pro should cover my whole house adequately. I rebuilt my network, set my port forwarding rules, set some static IPs, and am figuring out how to re-integrate Pi-Hole into all of this again. I’m only one sleepless night into my UniFi journey, but I’ve gotta say – so far, it’s pretty great. My publicly hosted sites (such as this blog!) are more stable, more responsive, quicker to load, and being able to track in/out bandwidth in the UniFi Controller is pretty nice. Looking forward to adding on some more gear soon!